Forum Replies Created

Viewing 15 replies - 1 through 15 (of 16 total)
  • I’m also interested in iOS support. I’ll try to find someone to test it with some iOS apps; IIRC there are some apps that could work. Did you try OsmAnd for iOS?

    Quote from its description:

    Share your location so that your friends can find you

    Let me know if it worked, please.

    Thread Starter tempacc1234

    (@tempacc1234)

    Seriously, do you have nothing better to do with your life except keep posting on WordPress, anonymously?

    Personal attacks? Shame on you. Is this the kind of people that work in your company? As I said before, you look like a bunch of salesmen rather than coders.

    Other plugins, themes, and even WordPress itself have suffered from security vulnerabilities over the years, some going unnoticed longer than others. In fact, the same happens with all different kinds of software including operating systems and the apps running on them. I don’t see you making your life goal to try and ruin those.

    WordPress and operating systems have tens of thousands, even millions of lines of code; your plugin has a very tiny fraction of that. For example, this plugin only has 3 front-end user inputs and one of them had an XSS vulnerability for years. Don’t compare yourself with them, it’s absurd and an insult to those people.

    If you don’t like the plugins for any reason, just move on, no one is forcing you to be here.

    Your actions reflect in the whole community, that’s the reason why I don’t like WPMU DEV. If you want to publish half-baked plugins to lure users to your paid support, do it in your own repository.

    Apart from your multiple posts through anonymity, I don’t see you putting your life’s work online to be scrutinised and criticised by others and then degraded by what is starting to feel like an attack as you try to flood the forums with your posts.

    Because I know my limits and I know my code is not worth sharing. Do you know your limits? I like my anonymity; in fact I use a VPN and Tor to connect to the internet and I don’t publish my personal data anywhere but where I absolutely have to. Any problem with that?

    You said it won’t be updated and then it will, so just to clarify for others. We will, of course, fix any security vulnerabilities that we’re aware of, we will then release those updates for everyone. We are therefore maintaining them.

    Maintenance is not just fixing vulnerabilities that other users report. Are you going to fix the broken destroy functions? The ugly styles and layout? The possibility to post invalid URLs resulting in empty activity posts? Unless you do that, you are not maintaining this plugin.

    Please note that we won’t continue to respond to you, it’s futile, we’ve tried that and you simply wish to insult and argue rather than be civil.

    You won’t because you know I’m right. And I didn’t insult anyone, I just gave my opinion; if you don’t like it, it’s your problem. If you don’t like criticism, don’t publish your code on the internet, like I do.

    Thread Starter tempacc1234

    (@tempacc1234)

    So you won’t fix this plugin? I see, that’s the quality of your service. None.

    Thread Starter tempacc1234

    (@tempacc1234)

    it didn’t have a redesign like some of our plugins did

    So… do something about it and stop with the excuses, because anyone who trusts your code after seeing this plugin is absolutely crazy.

    Maybe I’ll go and take a look at your other plugins too.

    This ticket is not resolved, so don’t mark it as solved.

    Thread Starter tempacc1234

    (@tempacc1234)

    Are the broken destroy functions, the insane abuse of ternary operators, the illegible code, the possibility of posting invalid URLs resulting in empty activity posts, the lack of thumbnails for remote images, the ugly styles and horrible layout, “very strict standards on our code quality”?

    What about messing with the What’s new form user experience? And the difficulty to make changes without breaking everything else? Wrapping ugly HTML and CSS in ugly JS?

    Do you think this is “very strict standards on our code quality”?:

    <div class="bpfb_images">
    <?php $rel = md5(microtime() . rand());?>
    <?php foreach ($images as $img) { ?>
    	<?php if (!$img) continue; ?>
    	<?php if (preg_match('!^https?:\/\/!i', $img)) { // Remote image ?>
    		<img src="<?php echo $img; ?>" />
    	<?php } else { ?>
    		<?php $info = pathinfo(trim($img));?>
    		<?php $thumbnail = file_exists(bpfb_get_image_dir($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])) ?
    			bpfb_get_image_url($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])
    			:
    			bpfb_get_image_url($activity_blog_id) . trim($img)
    		;
    		$target = 'all' == BPFB_LINKS_TARGET ? 'target="_blank"' : '';
    		?>
    		<a href="<?php echo bpfb_get_image_url($activity_blog_id) . trim($img); ?>" class="<?php echo $use_thickbox; ?>" rel="<?php echo $rel;?>" <?php echo $target; ?> >
    			<img src="<?php echo $thumbnail;?>" />
    		</a>
    	<?php } ?>
    <?php } ?>
    </div>

    Destroying the image handler takes several seconds, is that “very strict standards on our code quality” too?

    WP core has thousands of lines of code, how many has this plugin? This plugin only has 3 front-end input fields, and one of them had an XSS vulnerability for several years, is that “very strict standards on our code quality and security best practices”?

    Did all this “slip through”?

    Stop treating us like we are stupid, because we are not.

    Are you trying to bribe me?

    Thread Starter tempacc1234

    (@tempacc1234)

    Please, stop. You are embarrassing yourself.

    DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

    https://www.acunetix.com/websitesecurity/xss/

    If an attacker can abuse a XSS vulnerability on a web page to execute arbitrary JavaScript in a visitor’s browser, the security of that website or web application and its users has been compromised — XSS is not the user’s problem, like any other security vulnerability, if it’s affecting your users, it will affect you.

    https://www.acunetix.com/websitesecurity/cross-site-scripting/

    DOM XSS is a type of cross site scripting attack which relies on inappropriate handling, in the HTML page, of the data from its associated DOM. Among the objects in the DOM, there are several which the attacker can manipulate in order to generate the XSS condition, and the most popular, from this perspective, are the document.url, document.location and document.referrer objects.

    https://www.acunetix.com/blog/articles/dom-xss-explained/

    Thread Starter tempacc1234

    (@tempacc1234)

    OMG!

    Whilst it’s regrettable and shouldn’t have been there, however, I wouldn’t consider this a true XSS vulnerability.

    As far as I can see, the code injection will take place only on the client side for the user that is injecting the script. (same thing can be done by using the browser console). The injected script won’t be saved, therefore, will not affect other users. It can’t be used through reflection either.

    You can use social engineering to trick someone to enter the malicious URL in the form. WTF!?

    This is a legit URL:

    http://www.google.si/imgres?imgurl=http://www.newslinq.com/wp-content/uploads/2014/06/ex-girlfriend-meme-14.jpg&imgrefurl=http://www.newslinq.com/ex-girlfriend-memes/&h=537&w=550&tbnid=gfZV50vHkUdoPnM:&docid=wb_0Bw7bFw4tfbM&ei=sCRKVv-xHIb3PacLaoEA&tbm=isch&ved=0CDAQMygAMfABqFQoTCP_J1rLNlckCcFYZ7DwodQi0ICA

    Are you telling me you can’t add a malicious script between all that gibberish and trick someone to use that URL?

    From Wikipedia:

    As the JavaScript code was also processing user input and rendering it in the web page content, a new sub-class of reflected XSS attacks started to appear that was called DOM-based cross-site scripting. In a DOM-based XSS attack, the malicious data does not touch the web server. Rather, it is being reflected by the JavaScript code, fully on the client side.

    Do you even know what XSS is?

    Thread Starter tempacc1234

    (@tempacc1234)

    Sorry, I don’t have the skills or knowledge to give you good advice. And that is the worst part of all this. A noob like me found in a couple of days a lot of bugs and a big vulnerability in this plugin while WPMU DEV couldn’t find them in 4 years, 4 years! What does that say about WPMU DEV skills? On top of all this, my English is very limited so I can’t express myself correctly.

    But I can tell you this:

    – Never trust your users, always sanitize user input. It’s better to check things twice than to not be sure if you checked it enough.
    – Never trust other people’s code. I’m not saying that you can’t use other people’s code, just don’t install it and expect it to be secure.
    – Always check the code for best practices and common vulnerabilities (XSS is in the top 3 of vulnerabilities). Take a look at this plugin’s code, it’s a big mess of bad practices, bugs and unreadable code. Don’t trust anything from WPMU DEV.

    There are a lot of tools that could help you, like web vulnerability scanners or exploit frameworks (like acunetix, nikto or metasploit). Check exploit databases frequently too. You can check your website for SQL injections with the sqlmap crawler, don’t forget to check the forms too. Keep everything updated to the latest stable version and follow the KISS principle (Keep It Simple, Stupid!).

    “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

    Thread Starter tempacc1234

    (@tempacc1234)

    XSS vulnerability in 1.6.3

    Since this has been fixed I’ll publish here the report I sent to WPMU DEV so everyone can see it and choose if they want to keep using WPMU DEV’s plugins.

    I was going to post this in the ww.wp.xz.cn support forum, but I don’t want to f**k your users because of your incompetence. I’ll give you 24 hours to update your plugin before full disclosure.

    Just another bug in your code, and this is a big one.

    Enter one of the URLs below as the image URL, click the preview button and enjoy your XSS:

    http://thisisnotamalicious.url"><a href=http://google.com>Click this innocent link! I swear it is safe!</a> <!--

    Or just redirect to a malicious page without user interaction (change 7 to 8 if you are using https):

    http://thisisnotamalicious.url"><script>var x = String(/google.com/);x = x.substring(1, x.length-1);y = location.href;window.location.replace(y.substring(0, 7) + x)</script>

    Nice job, WPMU DEV. How many years with an XSS vulnerability?

    This vulnerability allowed an attacker to execute arbitrary code in the client’s browser just by using a URL similar to the ones I described above. This is a very basic but very dangerous attack and it should have been fixed several years ago.

    I guess this vulnerability affects every single version from 1.6.3 to the first one, but I only tested it in 1.6.3.

    UPDATE NOW!
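    The attribute breakout described in the report above (and the client-side preview rendering argued over in the DOM-XSS exchange earlier on this page), shown as an added example that is not code from the plugin or from anyone in the thread. renderPreviewUnsafe, renderPreviewSafe, validateImageUrl, escapeAttr and countTags are assumed helper names standing in for the plugin's preview step, not its real functions.

```javascript
// Added example, not code from the BuddyPress Activity Plus plugin or the thread.
// Assumed: the "preview" builds an <img> by string concatenation with the raw
// URL (renderPreviewUnsafe is a hypothetical stand-in for that step). The
// hardened path validates with the WHATWG URL parser before escaping.

// First payload quoted in the report above (copied from the thread, not constructed).
const REPORTED_URL =
  'http://thisisnotamalicious.url"><a href=http://google.com>' +
  'Click this innocent link! I swear it is safe!</a> <!--';

// Vulnerable pattern: the double quote in the input closes src="..." and the
// remainder of the input is parsed by the browser as new markup.
function renderPreviewUnsafe(url) {
  return '<img src="' + url + '" />';
}

// Attribute escaper for the five characters that can change HTML structure.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs that the URL parser can canonicalise.
// new URL() throws on hosts containing forbidden code points (space, <, >),
// so both payloads from the report are rejected here, before any escaping.
function validateImageUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input).trim());
  } catch (e) {
    return null; // relative paths and unparsable input are rejected too
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened renderer: validate, then escape. Returns null for rejected input so
// the caller can show an error instead of inserting a broken preview.
function renderPreviewSafe(url) {
  const clean = validateImageUrl(url);
  if (clean === null) return null;
  return '<img src="' + escapeAttr(clean) + '" />';
}

// Regression check: a preview should contain exactly one tag. Counting tags in
// the rendered fragment makes the breakout in the unsafe version measurable.
function countTags(html) {
  return (html.match(/<[a-z!/][^>]*>/gi) || []).length;
}

// Stand-alone demonstration.
console.log('unsafe tag count:', countTags(renderPreviewUnsafe(REPORTED_URL))); // 4
console.log('safe (payload):', renderPreviewSafe(REPORTED_URL));                 // null
console.log('safe (normal):', renderPreviewSafe('https://example.com/a.png'));
```

    Validation before escaping is the important order: rejecting anything the URL parser cannot canonicalise as http(s) removes the breakout entirely, and the escaper is only defence in depth for the attribute context.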

    Thread Starter tempacc1234

    (@tempacc1234)

    This plugin is a big ugly bug. It needs to be rewritten, or removed from this repository.

    Thread Starter tempacc1234

    (@tempacc1234)

    Members should not have to add this by themselves, plugins shouldn’t need this kind of modifications.

    Fix your code because the style and layout are just horrible. Not to mention the quality of the code. Ternary operators everywhere and opening and closing PHP tags for almost every line in the interface file are just two of many examples I could give you.

    Another example is that the plugin doesn’t have thumbnails for remote images, and it just needs a one line modification and a few lines of CSS to make it responsive. It’s just laziness or incompetence, or both.

    Thanks, @klyles. I already added some responsiveness to this plugin on my website but I don’t want to share any more code until they fix this plugin. It’s been broken for several years now.

    Thread Starter tempacc1234

    (@tempacc1234)

    I didn’t say you offered me anything, I said that it looks like you offer a broken free plugin to lure non-tech-savvy users to your paid support, which I think they should keep as far away from as they can. Look at this **** (I’d better “self-censor” myself because this code made me extremely mad):

    <div class="bpfb_images">
    <?php $rel = md5(microtime() . rand());?>
    <?php foreach ($images as $img) { ?>
    	<?php if (!$img) continue; ?>
    	<?php if (preg_match('!^https?:\/\/!i', $img)) { // Remote image ?>
    		<img src="<?php echo $img; ?>" />
    	<?php } else { ?>
    		<?php $info = pathinfo(trim($img));?>
    		<?php $thumbnail = file_exists(bpfb_get_image_dir($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])) ?
    			bpfb_get_image_url($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])
    			:
    			bpfb_get_image_url($activity_blog_id) . trim($img)
    		;
    		$target = 'all' == BPFB_LINKS_TARGET ? 'target="_blank"' : '';
    		?>
    		<a href="<?php echo bpfb_get_image_url($activity_blog_id) . trim($img); ?>" class="<?php echo $use_thickbox; ?>" rel="<?php echo $rel;?>" <?php echo $target; ?> >
    			<img src="<?php echo $thumbnail;?>" />
    		</a>
    	<?php } ?>
    <?php } ?>
    </div>

    WTF is that, man? LOOK AT THIS!:

    <?php } ?>
    <?php } ?>

    It had to be intentionally written that way, nobody could write something like that otherwise. Or is it that you don’t have the skills to write something decent?

    Maybe you are talking to me with respect, but WPMU DEV is disrespecting the whole community with this kind of code.

    And I did see some of your support agents telling users to go to your website, and I did see the infamous “that isn’t support, it’s customization and you have to pay for it” in your website’s support forum.

    It looks like you are a bunch of salesmen, not coders.

    Thread Starter tempacc1234

    (@tempacc1234)

    “I do really understand your point there”. No, you don’t.

    You missed the whole point of my review. Intentionally, I guess.

    “Install the plugin, waste a lot of time trying to make it work and come to our forum to find temporary workarounds or pay for support” is not acceptable. It looks like a scam that uses a broken free plugin to lure users to your paid support. Is WPMU DEV a scam? I tried a few WPMU DEV plugins and all of them felt like very amateur work. Are you even coders?

    If you want to turn around my experience, update the plugin. And I don’t mean updating it like you have been doing for more than 4 years. Update like it’s 2015, not 2010. What am I saying? This plugin doesn’t need to be updated, it needs to be rewritten. Yes, it’s that bad.

    It’s really amazing the amount of time you have to waste with this plugin just to get the style right. Don’t even think of modifying the codebase because, well, it’ll be one of your worst nightmares.

    Do you think that broken code is acceptable? Can WPMU DEV produce quality code at all? Take a look at the destroy functions. I’d be ashamed if this was my plugin, and I’m a very bad coder. Templates? Filters? Hooks? Nope, we better wrap HTML in ugly JS. How can we embed pictures? Let’s just throw in an img tag followed by a br tag. Divs? CSS? Thumbnails? What’s that? And I could go on and on and on…

    The WordPress/BuddyPress community should be more demanding. We are grateful for free plugins, sure, but we should ban broken plugins and their developers. Especially when they offer paid support for their, I suppose, intentionally broken plugins. You are hurting this community more than helping it.

    I’m starting to think it would be better if you just removed this plugin from this repository if you don’t plan to update it. Maybe someone capable would write a much better plugin than this one. Or BuddyPress devs would make this a core feature.

    I recommend not installing anything related to WPMU DEV, much less paying them for support.

    “Poorly built” is an understatement.

    <div class="bpfb_images">
      <img src="http://domain.com/wp-content/uploads/2015/10/a.png"><br>
      <img src="http://domain.com/wp-content/uploads/2015/10/a.png"><br>
      <img src="http://domain.com/wp-content/uploads/2015/10/a.png"><br>
      <img src="http://domain.com/wp-content/uploads/2015/10/a.png"><br>
      <img src="http://domain.com/wp-content/uploads/2015/10/a.png">
    </div>

    br tags? Are you kidding me? Wrap the images in a div and make them 100% width if you want only one image per line, but don’t use br tags.

    Thread Starter tempacc1234

    (@tempacc1234)

    Sorry, I can’t edit. I thought I could edit if needed, but I can’t.

    If you want to use my code, change “callback()” to “if (callback) callback()” in all the destroy functions and “function(){}” to “false” in the init function. The above code works, but it doesn’t update the activity stream until you refresh the page. It works perfectly with these changes, at least for me.

    Again, sorry. My good intentions are bigger than my coding skills 😛

    Line 69:

    var destroy = function (callback) {
        $container.empty();
        $('.bpfb_preview_container').empty();
        $('.bpfb_action_container').empty();
        $('#aw-whats-new-submit').show();
        $(window).off("resize.bpfb");
        if (callback) callback();
    };

    Line 226:

    var destroy = function (callback) {
        $container.empty();
        $('.bpfb_preview_container').empty();
        $('.bpfb_action_container').empty();
        $('#aw-whats-new-submit').show();
        $(window).off("resize.bpfb");
        if (callback) callback();
    };

    Line 356:

    var destroy = function (callback) {
        removeTempImages(function() {
            $container.empty();
            $('.bpfb_preview_container').empty();
            $('.bpfb_action_container').empty();
            $('#aw-whats-new-submit').show();
            if (callback) callback();
        });
    };

    Line 402:

    function init () {
        $form = $("#whats-new-form");
        $text = $form.find('textarea[name="whats-new"]');
        $textContainer = $form.find('#whats-new-textarea');
        createMarkup();
        $('#bpfb_addPhotos').click(function () {
            if (_bpfbActiveHandler) {
                _bpfbActiveHandler.destroy(function() {
                    _bpfbActiveHandler = new BpfbPhotoHandler();
                    $("#bpfb_cancel_action").show();
                    return false;
                });
            } else {
                _bpfbActiveHandler = new BpfbPhotoHandler();
                $("#bpfb_cancel_action").show();
                return false;
            }
        });
        $('#bpfb_addLinks').click(function () {
            if (_bpfbActiveHandler) {
                _bpfbActiveHandler.destroy(function() {
                    _bpfbActiveHandler = new BpfbLinkHandler();
                    $("#bpfb_cancel_action").show();
                    return false;
                });
            } else {
                _bpfbActiveHandler = new BpfbLinkHandler();
                $("#bpfb_cancel_action").show();
                return false;
            }
        });
        $('#bpfb_addVideos').click(function () {
            if (_bpfbActiveHandler) {
                _bpfbActiveHandler.destroy(function() {
                    _bpfbActiveHandler = new BpfbVideoHandler();
                    $("#bpfb_cancel_action").show();
                    return false;
                });
            } else {
                _bpfbActiveHandler = new BpfbVideoHandler();
                $("#bpfb_cancel_action").show();
                return false;
            }
        });
        $('#bpfb_cancel_action').click(function () {
            $(".bpfb_toolbarItem.bpfb_active").removeClass("bpfb_active");
            _bpfbActiveHandler.destroy(false);
            $("#bpfb_cancel_action").hide();
            return false;
        });
        $(".bpfb_toolbarItem").click(function () {
            $(".bpfb_toolbarItem.bpfb_active").removeClass("bpfb_active");
            $(this).addClass("bpfb_active");
        });
        $(document).on('click', '#bpfb_submit', function () {
            var params = _bpfbActiveHandler.get();
            var group_id = $('#whats-new-post-in').length ? $('#whats-new-post-in').val() : 0;
            $.post(ajaxurl, {
                "action": "bpfb_update_activity_contents",
                "data": params,
                "content": $text.val(),
                "group_id": group_id
            }, function (data) {
                _bpfbActiveHandler.destroy(false);
                $text.val('');
                $('#activity-stream').prepend(data.activity);
                /**
                * Handle image scaling in previews.
                */
                $(".bpfb_final_link img").each(function () {
                    $(this).width($(this).parents('div').width());
                });
            });
        });
        $(document).on('click', '#bpfb_cancel', function () {
            $(".bpfb_toolbarItem.bpfb_active").removeClass("bpfb_active");
            _bpfbActiveHandler.destroy(false);
        });
    }